What is the Timeline for the FedRAMP Process?
Published 02/15/2023
Originally published by Schellman.
Written by Andy Rogers, Schellman.
Ever watched Jeopardy? Even if you haven’t, you’re likely familiar with the iconic theme music that plays every time contestants deliberate over their answers. The tune is so recognizable that it has become synonymous with waiting on a conclusion that takes quite a while.
Endeavoring for compliance with the Federal Risk and Authorization Management Program (FedRAMP) is one such drawn-out conclusion. It takes time to complete this process, but how much? How long will the Jeopardy theme play?
Before you commit to achieving FedRAMP Authority to Operate (ATO), it helps to know what you’re getting yourself into. In this article we outline the anticipated timeline for what we’ve separated into 4 major phases of FedRAMP: the development and preparation of your system, agency sponsorship, execution of an assessment, and the review(s) that yield ATO, followed by the continuous monitoring responsibility for your authorized system.
As things move along during your FedRAMP journey, it may—at times—feel like one long pregnant pause with the Jeopardy theme playing. But having read this, you’ll have an understanding of how to get from cradle to grave in the FedRAMP process so you’ll know for sure what step is coming next while you wait.
What is FedRAMP?
Just to lay the groundwork, here’s what you need to know about FedRAMP:
- It’s geared toward Cloud Service Providers (CSPs) that want to do business with the U.S. federal government.
- The standard is designed to safeguard cloud systems with security commensurate to the sensitive data that may be stored, processed, managed, and transmitted within the system.
- Each system that is assessed has an applicable Federal Information Processing Standard (FIPS) 199 risk designation of High, Moderate, or Low depending on the data being processed. These risk levels have considerable variance in the number of security controls:
There are two ways to get FedRAMP ATO—through either agency sponsorship or the Joint Authorization Board (JAB). Since the agency route is more common, we’ll proceed through the phases of the process assuming you’ll be going that way too.
The 4 Phases of FedRAMP
Phase 1: System Development and Preparation
Once you’ve determined your risk designation, you can proceed through the 4 phases of FedRAMP, starting with developing your Cloud Service Offering (CSO). How long this takes depends on the complexity of the system, but know that using a defense-in-depth methodology when building the system is extremely important if you don’t want to extend your timeline considerably.
Because FedRAMP assessments are among the most difficult, longest, and most expensive assessments a CSP will undergo, developing your CSO with the NIST SP 800-53 controls in mind can prevent considerable rework, or worse, rearchitecting your environment to meet the “spirit” of the FedRAMP controls. If your system is already developed, you may want to perform a gap assessment, or have someone perform one for you, to understand whether you are truly meeting FedRAMP requirements before moving forward.
In some cases, hiring an experienced advisor can shorten this timeline—these consultants have interacted with the FedRAMP Project Management Office (PMO) and understand the federally mandated “showstoppers” (a.k.a. things that will derail your ATO).
Phase 2: Agency Sponsorship
In any case, once your offering is ready to go live, you’ll need to secure an agency sponsor. Without one—or, as we mentioned earlier, authorization from the JAB—the furthest you’ll be able to get is FedRAMP Ready status, which is not an ATO. (If you’re FedRAMP Ready, you’ve proven you have a system meeting the federal mandates and ready at either the Moderate or High baseline but will still need an agency sponsor to move forward to In Process and eventually Authorized).
Because success with an agency looks different for everyone, we can’t accurately provide a timetable for how long this will take.
Phase 3: Security Assessment – 7-9 Weeks (Approximately)
Once you do secure an agency sponsor, you can proceed through a full initial FedRAMP Security Assessment, and for that we can provide a rough timeline.
Before you get started, you’ll need a Third Party Assessment Organization (3PAO) accredited by the American Association for Laboratory Accreditation (A2LA) to perform the assessment. The full FedRAMP Security Assessment Report (SAR) process can be broken into the following stages:
| Stage | Duration | Description |
| --- | --- | --- |
| Security Assessment Plan (SAP) | 1 week | The 3PAO drafts the SAP and submits it to the CSP for approval. In some instances, the sponsoring agency will also request a review prior to finalizing. Once finalized, the SAP is signed by the 3PAO and the CSP. This step is critical because the SAP defines the assessment activities and includes key items such as the Rules of Engagement. At this stage, the CSP is expected to have provided certain audit evidence such as the System Security Plan (SSP), the system inventory, and other items required to populate the SAP template. |
| Control Owner Interviews | 1-2 weeks | Once the SAP is in place, remote or in-person interviews and evidence collection through live screen shares take place. Interviews can run anywhere from one to two weeks depending on the complexity of the system and the FIPS 199 baseline. The requisite penetration testing also kicks off during this time, after the details are coordinated and the proper authorizations are put in place. |
| Evidence Analysis, Controls Testing and Penetration Testing | 6-8 weeks | At this point, your 3PAO begins in-depth testing, analyzing both the evidence you submitted and what they collected live, which includes vulnerability scans and compliance scans. The penetration test continues through this stage of the assessment. |
| SAR and Risk Exposure Table Delivery | 2 weeks | Once testing is wrapped up, your 3PAO provides a draft SAR as well as the Risk Exposure Table documenting the findings from the assessment. Make sure any remaining supplemental control implementations (mitigating factors) are brought to your 3PAO’s attention to help reduce or mitigate the documented risks. Once you and your 3PAO are in agreement, the SAR is finalized and provided to the sponsoring agency and the FedRAMP PMO for their respective reviews. |
Phase 4: Agency Review and PMO Review – 6-8+ Weeks
After you’ve completed the assessment and the SAR is finalized, the SAR and its supporting details are submitted as the “authorization package” to the sponsoring agency and the FedRAMP PMO for their respective reviews.
Given the number of CSPs pursuing FedRAMP ATO, it’s common that a sponsoring agency and the FedRAMP PMO have a number of packages in their queue for review. Because of this and depending on the sponsoring agency, the completion of both reviews can take more than six to eight weeks.
After completion of the reviews, there will be a meeting that includes the FedRAMP PMO, your sponsoring agency, 3PAO and you as the CSP to review feedback from the FedRAMP PMO and discuss any questions. This review often results in a revision of the SAR to ensure that all are in agreement with the results and the details contained within.
Once updated, the SAR and any other supporting documentation that has been updated are submitted to the PMO for an additional review. The ideal outcome from the resubmission is to receive an email notification within a few weeks from the FedRAMP PMO letting you know that your CSO has been granted an ATO. The ATO will allow you to provide your CSO to your sponsoring agency, and it will be listed on the FedRAMP Marketplace with its applicable ATO. Given the number of variables that factor into the review process, the duration can vary widely based on the queue mentioned above and the feedback received.
Next Steps for FedRAMP ATO
At this point, you may believe you’re done—the Jeopardy theme will stop playing, the conclusion having been reached. But as long as your CSO is providing services to a federal agency, you will be subject to the annual assessment requirement to assess a subset of the full initial controls—this usually takes 10 – 12 weeks from start to finish, so it’s a little shorter than the full assessment.
In any case, the process of getting FedRAMP ATO is neither easy nor short, as you now understand. Just the assessment and review periods can take more than three months each, and that doesn’t factor in time spent preparing your offering, however long that may take. No matter what, you’ll need to ensure you have enough time and expertise to get your CSO up to standard so that all your efforts end successfully.